Bug 27636

Summary: vino new security issue CVE-2020-25708
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: vino-3.22.0-7.mga8.src.rpm CVE:
Status comment:

Description David Walser 2020-11-19 14:34:19 CET 
Ubuntu has issued an advisory on November 17:
https://ubuntu.com/security/notices/USN-4636-1

We fixed libvncserver already with 0.9.13.

From Bug 26881, CVE-2019-20840, CVE-2020-14397, CVE-2020-1440[0-4] likely still affect vino too.

Mageia 7 is also affected.
David Walser 2020-11-19 14:34:30 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-11-19 21:36:11 CET 
'vino' has no registered nor consistent maintainer, so assigning this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2020-11-20 06:39:04 CET 
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 3 David Walser 2020-11-20 16:33:28 CET 
vino-3.22.0-3.3.mga7 for the CVE-2020-25708 fix.

What about CVE-2019-20840, CVE-2020-14397, CVE-2020-1440[0-4]?
Comment 4 David GEIGER 2020-11-20 17:35:56 CET 
Already done for CVE-2020-14397 and CVE-2020-1440[0234]!
Comment 5 David GEIGER 2020-11-20 17:36:30 CET 
r1602806 | ns80 | 2020-07-07 11:29:11 +0200 (mar. 07 juil. 2020) | 2 lignes

- add patches for CVE-2020-14397 and CVE-2020-1440[0234] (mga#26882)
Comment 6 David GEIGER 2020-11-20 17:41:19 CET 
This one CVE-2019-20840 does not affect vino as there isn't "libvncserver/ws_decode.c" source code.
Comment 7 David Walser 2020-11-20 20:19:41 CET 
Oh thanks David!  I totally forgot about Bug 26882.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7

Comment 8 David Walser 2020-11-20 20:22:40 CET 
Advisory:
========================

Updated vino package fixes security vulnerability:

libvncserver/rfbserver.c from LibVNCServer, which is bundled by vino, has a
divide by zero issue which could result in denial of service (CVE-2020-25708).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25708
https://ubuntu.com/security/notices/USN-4636-1
========================

Updated packages in core/updates_testing:
========================
vino-3.22.0-3.3.mga7

from vino-3.22.0-3.3.mga7.src.rpm

Assignee: pkg-bugs => qa-bugs
Summary: vino new security issue CVE-2020-25708 (and possibly others) => vino new security issue CVE-2020-25708

Comment 9 Herman Viaene 2020-11-21 15:53:53 CET 
MGA7-64 MATE on  Peaq C1011
No installation issues
Ref bug 26882  Comment 5 for tests (again no Gnome desktop on this notebook)
Note that the command to set the vnc password is dconf-editor (I had to install it, not being there by default)
# /usr/libexec/vino-server
21/11/2020 15:38:06 Autoprobing TCP port in (all) network interface
21/11/2020 15:38:06 Listening IPv6://[::]:5900
21/11/2020 15:38:06 Listening IPv4://0.0.0.0:5900
21/11/2020 15:38:06 Autoprobing selected port 5900
21/11/2020 15:38:06 Advertising security type: 'TLS' (18)
21/11/2020 15:38:06 Re-binding socket to listen for VNC connections on TCP port 5900 in (all) interface
21/11/2020 15:38:06 Listening IPv6://[::]:5900
21/11/2020 15:38:06 Listening IPv4://0.0.0.0:5900
21/11/2020 15:38:06 Clearing securityTypes
21/11/2020 15:38:06 Advertising security type: 'TLS' (18)
21/11/2020 15:38:06 Clearing securityTypes
21/11/2020 15:38:06 Advertising security type: 'TLS' (18)
21/11/2020 15:38:06 Advertising authentication type: 'No Authentication' (1)
21/11/2020 15:38:06 Re-binding socket to listen for VNC connections on TCP port 5900 in (all) interface
21/11/2020 15:38:06 Listening IPv6://[::]:5900
21/11/2020 15:38:06 Listening IPv4://0.0.0.0:5900
21/11/2020 15:38:58 [IPv6] Got connection from client localhost
21/11/2020 15:38:58   other clients:
21/11/2020 15:38:58 Client Protocol Version 3.7
21/11/2020 15:38:58 Advertising security type 18
21/11/2020 15:38:58 Client returned security type 18
21/11/2020 15:38:59 Advertising authentication type 1
21/11/2020 15:38:59 Client returned authentication type 1
21/11/2020 15:40:46 [IPv6] Got connection from client localhost
etc....
Same remark at using vinagre: it connects, but that's it.
also
$ netstat -nl | grep 5900
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN     
tcp6       0      0 :::5900                 :::*                    LISTEN     
As good as can be here.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 10 Thomas Andrews 2020-11-22 17:24:32 CET 
Validating. Advisory in Comment 8.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 11 Aurelien Oudelet 2020-11-22 18:22:08 CET 
Advisory pushed to SVN.

Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 12 Mageia Robot 2020-11-23 20:53:03 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0439.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED